Have you reviewed your audit trail lately?  What is it telling you and your team? 

We all understand the importance of audit trails, and companies review audit trails in one way or another, but does your staff truly understand what the audit trail is stating? 

Processes in a GxP environment should be developed and implemented to prevent data integrity risk; however, prevention is not always possible, and firms need to be able to detect breaches in data integrity.  One of the tools at your disposal is the audit trail. 

When auditing various firms’ computerized systems, the audit trail is one of the most critical components to evaluate.  Audit trails are expected to contain who did what, when, and why any changes were made to the acquired data while maintaining the original or changed result.  Audit trail records are very system-specific (i.e., not the same from application to application) so it is important to ensure that the audit trails supporting your data capture the necessary information and that your end users (e.g., data reviewers and SMEs) understand where the audit trails reside and what they mean. 

SOPs should describe the need to review audit trails; however, in practice, SOPs tend to lack details regarding which audit trails are reviewed, the frequency of review and by whom, the specifics of what to review, and how to document compliance with SOP requirements.  Ask your staff which audit trails they review, how they review the audit trails, what they are reviewing exactly, and what the purpose of their review is.  You may be surprised by the answers you get. 

During routine audits, the FDA may request that audit trails be extracted to Excel files (if possible) to expedite reviews, or they can be reviewed on the live system.  We observed an audit trail from a particular computerized system that contained hundreds of entries, appearing each year the system was in use, with “Delete” in the description.  When SMEs were asked what these entries represent, no answer could be provided.  In fact, two days passed before a response was provided, which included assistance from the vendor.  Although the audit trail was frequently and routinely reviewed by the laboratory, the SMEs did not know what the “delete” entries represented.  Makes one wonder, what are the reviewers actually reviewing? 

Other questions to consider may include:  How many audit trails does each of your systems have (e.g., analysis audit trails, system audit trail, etc.)?  At what frequency are each of the audit trails reviewed, and by whom?  Have you leveraged the information captured in the audit trails to your advantage, making the reviews more meaningful, more robust, and more efficient?  Are the audit trails configured to capture the necessary information and, if not, why not? 

For further information or assistance in ensuring that your audit trails are robust and properly investigating them prior to the FDA’s review, please contact lcs@lachmanconsultants.com for a consult.